LoadModule ssl_module modules/mod_ssl.so

Listen 5000
Listen 35357

<Location /secure>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  require valid-user
</Location>

Alias "/secure" "/var/www/html/secure"

<VirtualHost *:5000>
    ServerName https://merlin.hpc.rug.nl:5000
    SSLEngine on
    SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
    SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
    SSLCACertificateFile "/certs/DigiCertCA.crt"
    UseCanonicalName On
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688

    # Added for federation.
    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/local/bin/keystone-wsgi-public/$1

    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>

    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>

    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    <Location /v3/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/auth>
        ShibRequestSetting requireSession 1
        AuthType shibboleth
        ShibExportAssertion Off
        Require valid-user

        <IfVersion < 2.4>
            ShibRequireSession On
            ShibRequireAll On
       </IfVersion>
    </Location>

    <Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
      AuthType shibboleth
      Require valid-user
      ShibRequestSetting requireSession 1
      ShibRequireSession On
      ShibExportAssertion Off
    </Location>
    <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/nikhefwave/protocols/mapped/websso/">
      AuthType shibboleth
      Require valid-user
    </Location>

</VirtualHost>

<VirtualHost *:35357>
    ServerName https://merlin.hpc.rug.nl:35357
    SSLEngine on
    SSLCertificateFile "/certs/merlin.hpc.rug.nl.crt"
    SSLCertificateKeyFile "/certs/merlin.hpc.rug.nl.key"
    SSLCACertificateFile "/certs/DigiCertCA.crt"
    UseCanonicalName On
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688

    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>

    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>